7.8
HIGH
CVE-2024-49884
Linux Kernel Ext4 Slab Use-After-Free Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates.

INFO

Published Date :

Oct. 21, 2024, 6:15 p.m.

Last Modified :

Nov. 8, 2024, 4:15 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

5.9

Exploitability Score :

1.8
Affected Products

The following products are affected by CVE-2024-49884 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-49884.

URL Resource
https://git.kernel.org/stable/c/393a46f60ea4f249dc9d496d4eb2d542f5e11ade
https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238 Patch
https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3 Patch
https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18 Patch
https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9 Patch
https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f Patch
https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe Patch
https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185 Patch

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-49884 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-49884 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 08, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://git.kernel.org/stable/c/393a46f60ea4f249dc9d496d4eb2d542f5e11ade [No types assigned]
  • Initial Analysis by [email protected]

    Oct. 25, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238 No Types Assigned https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238 Patch
    Changed Reference Type https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3 No Types Assigned https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3 Patch
    Changed Reference Type https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18 No Types Assigned https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18 Patch
    Changed Reference Type https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9 No Types Assigned https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9 Patch
    Changed Reference Type https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f No Types Assigned https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f Patch
    Changed Reference Type https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe No Types Assigned https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe Patch
    Changed Reference Type https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185 No Types Assigned https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185 Patch
    Added CWE NIST CWE-416
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.18 up to (excluding) 5.10.227 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.168 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.113 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.55 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.10.14 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.11 up to (excluding) 6.11.3
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Oct. 21, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates.
    Added Reference kernel.org https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-49884 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-49884 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: